back signatures

David Shaw dshaw at
Mon Nov 7 16:36:30 CET 2005

On Mon, Nov 07, 2005 at 04:17:20PM +0100, Christoph Anton Mitterer wrote:
> David Shaw wrote:
> >I'm afraid I don't understand what you're asking here.  How backsigs
> >work?
> > 
> >
> And what is the "theory" behind them,... e.g. how do they improve security?

Current signing subkeys have a weakness in that they can be moved from
one key to another without the key owner's approval.

This means that if I sign a message with a signing subkey, someone
else can lift the (public) signing subkey off of my key, attach it to
theirs, and issue a new binding signature for it.  This person can
then claim to be the person who signed the message.

Note that this person doesn't have the secret key or the passphrase -
they can't issue NEW signatures.  They can only claim to be the signer
for existing signatures.  They also can't stop the original signer
from claiming ownership.  If it comes down to two people, both
claiming they issued a particular signature, just ask them both to
sign a challenge (a different challenge for each).  The impostor won't
be able to.

Anyway, back signatures avoid all that by adding a signature from the
signing subkey on the primary key.  This proves that the owner of the
signing subkey is not an impostor, since the impostor could not issue
such a signature.
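A toy model of the subkey lifting described in this message and of the back-signature check, as an added example that is not part of the original post and is not GnuPG's code. It assumes textbook RSA over small known primes in place of real OpenPGP keys and packets, and all names (`keygen`, `bind`, `accepts`, `demo`) are hypothetical.

```python
import hashlib

E = 65537  # public exponent for the toy RSA below (NOT secure, illustration only)

def keygen(p, q):
    """Toy RSA key from two known primes: (public modulus, secret exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _digest(n, *parts):
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, *parts):
    n, d = key
    return pow(_digest(n, *parts), d, n)

def verify(pub, sig, *parts):
    return pow(sig, E, pub) == _digest(pub, *parts)

def bind(primary, sub_pub, sub_key=None):
    """Primary key certifies the subkey; with sub_key, also add the back signature."""
    cert = {"primary": primary[0], "sub": sub_pub,
            "binding": sign(primary, "bind", primary[0], sub_pub), "backsig": None}
    if sub_key is not None:  # only the holder of the subkey's secret can do this
        cert["backsig"] = sign(sub_key, "back", primary[0], sub_pub)
    return cert

def accepts(cert, msg, msg_sig, require_backsig):
    """Would a verifier attribute msg to the owner of cert['primary']?"""
    ok = verify(cert["sub"], msg_sig, "msg", msg) and \
         verify(cert["primary"], cert["binding"], "bind", cert["primary"], cert["sub"])
    if require_backsig:  # the subkey must itself have signed this primary key
        ok = ok and cert["backsig"] is not None and \
             verify(cert["sub"], cert["backsig"], "back", cert["primary"], cert["sub"])
    return ok

def demo():
    alice, alice_sub = keygen(2**61 - 1, 2**89 - 1), keygen(2**107 - 1, 2**127 - 1)
    mallory = keygen(2**521 - 1, 2**607 - 1)
    msg = "constructed sample message"
    msg_sig = sign(alice_sub, "msg", msg)          # existing signature by Alice
    alice_cert = bind(alice, alice_sub[0], alice_sub)
    stolen = bind(mallory, alice_sub[0])           # lifted public subkey, new binding
    copied = dict(stolen, backsig=alice_cert["backsig"])  # reuse Alice's backsig
    return {"alice": accepts(alice_cert, msg, msg_sig, True),
            "stolen_no_check": accepts(stolen, msg, msg_sig, False),
            "stolen_checked": accepts(stolen, msg, msg_sig, True),
            "copied_backsig": accepts(copied, msg, msg_sig, True)}
```

Copying the original back signature onto the second key fails because that signature covers the original primary key, not the new one.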

